Authentication System

SirrChat provides multiple flexible authentication methods, supporting everything from traditional passwords to modern blockchain signatures.

Authentication Methods

Blockchain Authentication

Passwordless authentication using blockchain wallets.

How It Works

1. Client signs a random message with private key
2. Server verifies signature and recovers wallet address
3. Verify address matches user account

Configuration Example

[auth.blockchain]
enabled = true
networks = ["ethereum", "bsc", "polygon"]

[auth.blockchain.rpc]
ethereum = "https://mainnet.infura.io/v3/YOUR-PROJECT-ID"
bsc = "https://bsc-dataseed.binance.org"
polygon = "https://polygon-rpc.com"

Supported Networks

• Ethereum (ETH)
• BNB Smart Chain (BSC)
• Polygon (MATIC)
• All EVM-compatible chains

Client Usage

// Generate signature
const message = `Login to SirrChat: ${timestamp}`;
const signature = await web3.eth.personal.sign(message, address);

// SMTP AUTH
AUTH BLOCKCHAIN
<address>
<signature>
<message>

LDAP Authentication

Integration with enterprise LDAP directory services.

Configuration

[auth.ldap]
enabled = true
server = "ldap://ldap.example.com:389"
bind_dn = "cn=admin,dc=example,dc=com"
bind_password = "password"
user_base = "ou=users,dc=example,dc=com"
user_filter = "(uid={username})"

Active Directory

[auth.ldap]
server = "ldap://dc.example.com:389"
bind_dn = "cn=Administrator,cn=Users,dc=example,dc=com"
bind_password = "password"
user_base = "cn=Users,dc=example,dc=com"
user_filter = "(sAMAccountName={username})"

PAM Authentication

Use Linux system accounts for authentication.

Configuration

[auth.pam]
enabled = true
service = "sirrchat"

PAM Configuration File

Create /etc/pam.d/sirrchat:

auth       required     pam_unix.so
account    required     pam_unix.so

Database Authentication

Traditional username/password authentication.

Configuration

[auth.database]
enabled = true
password_hash = "bcrypt"  # bcrypt, argon2, scrypt

Create User

sirrchatd user create \
  --username [email protected] \
  --password secretpassword

Multi-Factor Authentication (MFA)

TOTP

Time-based One-Time Password.

[auth.mfa]
enabled = true
issuer = "SirrChat"

Enable MFA

sirrchatd mfa enable --user [email protected]

Hardware Keys

Support for FIDO2/WebAuthn hardware keys.

[auth.mfa.webauthn]
enabled = true
rp_name = "SirrChat Mail Server"

Authentication Protocols

SASL Mechanisms

Supported SASL authentication mechanisms:

• PLAIN: Plain text password (requires TLS)
• LOGIN: Login authentication
• CRAM-MD5: Challenge-response authentication
• SCRAM-SHA-256: Secure authentication
• BLOCKCHAIN: Custom blockchain authentication

Configuration Example

[auth.sasl]
mechanisms = ["PLAIN", "LOGIN", "BLOCKCHAIN"]
require_tls = true

Access Control

IP Whitelist

[auth.access_control]
allowed_ips = ["192.168.1.0/24", "10.0.0.0/8"]

IP Blacklist

[auth.access_control]
blocked_ips = ["203.0.113.0/24"]

Geographic Restrictions

[auth.geo]
enabled = true
allowed_countries = ["US", "GB", "CA"]

Session Management

Session Configuration

[auth.session]
# Session timeout (seconds)
timeout = 3600

# Maximum concurrent sessions
max_sessions = 10

# Session token length
token_length = 32

Session Storage

• Memory: Fast but not persistent
• Redis: Distributed session management
• Database: Persistent storage

[auth.session.storage]
type = "redis"
redis_url = "redis://localhost:6379/0"

Password Policy

Password Requirements

[auth.password_policy]
min_length = 12
require_uppercase = true
require_lowercase = true
require_digits = true
require_special = true

Password History

[auth.password_policy]
remember_count = 5  # Remember last 5 passwords
expiry_days = 90    # Expire after 90 days

Security Features

Brute Force Protection

[auth.security]
max_attempts = 5
lockout_duration = 300  # 5 minutes

Anomaly Detection

[auth.anomaly_detection]
enabled = true
alert_on_new_ip = true
alert_on_new_device = true

Audit Logs

Logged Events

• Login attempts (success/failure)
• Password changes
• MFA status changes
• Session creation/destruction

Log Format

{
  "timestamp": "2025-01-15T10:30:00Z",
  "event": "login_success",
  "user": "[email protected]",
  "ip": "192.168.1.100",
  "method": "blockchain"
}

API Authentication

API Keys

sirrchatd api-key create --user [email protected]

OAuth 2.0

[auth.oauth]
enabled = true
provider = "custom"
client_id = "sirrchat"
client_secret = "secret"

Best Practices

1. Always Use TLS: Encrypt authentication credentials in transit
2. Enable MFA: Improve account security
3. Rotate Keys Regularly: Update API keys and passwords
4. Monitor Anomalies: Set up alert notifications
5. Principle of Least Privilege: Grant only necessary permissions

---

Related documentation:

• Configuration Guide
• Blockchain Integration
• Security Best Practices